News

Debian mysql-5.5 update

For the stable distribution (jessie), these problems have been fixed in version 5.5.53-0+deb8u1.

Solution is apt-get update && apt-get -y upgrade

The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.53, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:

Another Ffflash Player Critical update

Adobe has released a critical security update for Flash Player. Updates are available for Windows, Mac, Linux and Android systems.

Quote:-
Adobe is aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows.

Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.

Brian Krebs, an IT journalist I respect, reports that a new critical Java exploit has been sold for use in cybercrime; it appears to have been sold to at least 2 customers for $5K US each, with a third customer paying an unknown amount.

Jan 15, 2013

Out of cycle MS security patch for Internet Explorer

Microsoft today released a patch for a critical flaw in Internet Explorer.

Previously Microsoft had published a shim (Fix It Tool) that proved ineffective in preventing exploits against the browser. You can install it through Microsoft Update.

Note: if you did install the MS Fix It Tool/shim MS recommend you un-install it - though it's not mandatory.

tl;dr If you must run MS Internet Explorer, do ensure you have the latest MS updates installed.

Jan 14, 2013

Oracle release an updated Java

Version 7 update 11 has been released to address two critical flaws in the previous version that were actively being exploited.

If you really must use Java then update now, and keep Java disabled except on an application by application basis.

It's great that Oracle have released a fix so quickly. But it does little to mitigate the appalling history of insecurities associated with this clunky, unnecessary, steaming pile of merde. May Java and Ffflash both die a quick death. A pox on both their houses. (yes really).

Upgrade and unplug Java

Once again Java is not safe for general use, with at least one vulnerability being actively marketed in two major cybercrime kits, and exploits being found in the wild.

As noted by Krebs, a new Java exploit has been marketed for at least the last week, and overnight DontNeedCoffee has found it actively deployed in the wild.

Java belongs in the same big round filing cabinet as Flash and PDFs. Widely deployed, popular, constantly exploited, and redundant. Much, if not all of Java's justifications for being can be fulfilled with HTML5. If you need it - make sure you are running the very latest version (v7 update 10), and unplug it except when you absolutely need to use it. You can check your version here, and download the latest version here. Instructions on how to unplug it are here.

Black Tuesday (in the USA) again

Microsoft monthly fix-what-we-forgot-to-ship day, still not safe to use Internet Explorer as anything other than a drinks coaster.

This month's patches include two "critical" releases and five "important".

One of the patches addresses an exploit that has made the news recently in attacks against Internet Explorer 6 - 8 at the CFR website and is now part of at least one cybercrime toolkit. Unfortunately that patch is no longer relevant as it can be got around.

tl;dr - Run the Microsoft Update Manager - but don't run Internet Explorer.

Jan 9, 2013

Yahoo gets less stupid

Yahoo now has an HTTPS option

After several years of urging, and possibly as a result of a recent, critical, 0-day xss exploit, Yahoo is finally offering SSL.

It's disabled by default (go figure). To enable the SSL option, users can go into the Options tab and click the box next to "Make your Yahoo Mail more secure with SSL". The option is not enabled by default, but that could happen in the future.

Dec 30, 2012

(another) Internet Explorer/Fffllash exploit in the wild

Several reports of what appear to be Chinese attacks utilising vulnerabilities in Internet Explorer 8 through Flash.

Darien Kindlund gives one report. Apparently Microsoft is "investigating the vulnerability at this time".

After writing that "We have chosen not to release the technical details of this exploit", the author then goes on to do everything but a full analysis of the Flash file.

Debian elinks programming error

Squeeze (stable), fixed in v0.12~pre5-2+squeeze1. Since the initial Squeeze release, XULRunner needed to be updated and the version currently in the archive is incompatible with ELinks. As such, JavaScript support needed to be disabled (only a small subset of typical functionality was supported anyway). It will likely be re-enabled in a later point update.

Wheezy (testing) fixed in v0.12~pre5-9

Sid (unstable) fixed in v0.12~pre5-9

tl;dr # apt-get update; apt-get upgrade

Dec 29, 2012

Debian Icedove Vulnerability

Five vulnerabilities have been discovered in Icedove, Debian's version of the Mozilla Thunderbird mail and news client: CVE-2012-4201, CVE-2012-4207, CVE-2012-4216, CVE-2012-5829, and CVE-2012-5842.

CVE-2012-4201
The evalInSandbox implementation uses an incorrect context during the handling of JavaScript code that sets the location.href property, which allows remote attackers to conduct cross-site scripting (XSS) attacks or read arbitrary files by leveraging a sandboxed add-on.

CVE-2012-4207
The HZ-GB-2312 character-set implementation does not properly handle a ~ (tilde) character in proximity to a chunk delimiter, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted document.

CVE-2012-5842
Multiple unspecified vulnerabilities in the browser engine could allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code.

Unpatched Internet Explorer Security and Privacy problem

All versions of Internet Explorer affected - Microsoft doesn't plan on fixing the problem. NOTE: Microsoft say it's a "feature, not a flaw"!

This can be a serious problem if you use a virtual keyboard or keypad.

A security vulnerability in Internet Explorer, versions 6–10, allows
your mouse cursor to be tracked anywhere on the screen, even if the
Internet Explorer window is inactive, unfocused or minimised. The
vulnerability is notable because it compromises the security of
virtual keyboards and virtual keypads.

As a user of Internet Explorer, your mouse movements can be recorded
by an attacker even if you are security conscious and you never
install any untoward software. An attacker can get access to your
mouse movements simply by buying a display ad slot on any web-page you
visit.

Nick Johnson from spider.io found the flaw and notified Microsoft at the beginning of October. "Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser."

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
apache2 apache2-doc apache2-mpm-prefork apache2-suexec-custom apache2-utils apache2.2-bin
apache2.2-common
7 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,240 kB of archives.
After this operation, 139 kB of additional disk space will be used.

Nov 7, 2012

Adobe APSB12-24

Adobe has released a critical security update for Flash Player and Adobe AIR that fixes at least seven major problems. Updates are available for Windows, Mac, Linux and Android systems.

Adobe has released a critical security update for its Flash Player and Adobe AIR software that fixes at least seven dangerous vulnerabilities in these products. Updates are available for Windows, Mac, Linux and Android systems.

Today’s update, part of Adobe’s regularly scheduled patch cycle for Flash, brings Flash Player to version 11.5.502.110 on Windows and Mac systems.

Debian Icedove Vulnerability

Several vulnerabilities were discovered in Icedove, Debian's version of the Mozilla Thunderbird mail and news client.
This includes several instances of use-after-free and buffer overflow issues. The reported vulnerabilities could lead to the execution of arbitrary code, and additionally to the bypass of content-loading restrictions via the location object.

For the stable distribution (squeeze), this problem has been fixed in version 3.0.11-1+squeeze13.

For the testing distribution (wheezy), this problem has been fixed in version 10.0.7-1.

For the unstable distribution (sid), this problem has been fixed in version 10.0.7-1.

TL;DR The problem has been fixed - if you have recently (in the last week) run apt-get upgrade there's no need to worry.

Oct 6, 2012

Opera UXSS flaw

A default setting in Opera web browsers allows an attacker to exploit a Data URI scheme in combination with a redirection to execute JavaScript.

Barrier Reef now on Google Maps

Google Maps has just added panoramic underwater images of the Barrier Reef.

The Catlin Seaview Survey used a specially designed underwater camera, the SVII, to capture underwater imagery around the world, as part of their expedition to document the composition and health of coral reefs.

Sep 26, 2012

Another Critical Java SE flaw discovered

Researchers from Polish company Security Explorations have discovered another Java flaw that will affect about one billion users of Oracle Java SE software.

The bug(?) allows an attacker to violate a fundamental security constraint of a Java Virtual Machine (type safety).

The following Java SE versions were verified to be vulnerable:

Java SE 5 Update 22 (build 1.5.0_22-b03)

Java SE 6 Update 35 (build 1.6.0_35-b10)

Java SE 7 Update 7 (build 1.7.0_07-b10)

All tests were successfully conducted in the environment of a fully patched Windows 7 32-bit system and with the following web browser applications:

Microsoft Secure Boot isn't (secure)

NOTE: this exploit uses UEFI rather than circumventing it as some of the
earlier Windows 8 rootkits do. As a bonus, UEFI rootkits don't restrict malware to assembler, e.g. C is supported.

ITSEC analysed the UEFI platform now that Microsoft has ported old BIOS and MBR's boot loader to the new UEFI technology in Windows 8. Andrea Allievi, a senior security researcher at ITSEC, was able to use the research to cook up what's billed as the first ever UEFI bootkit designed to hit Windows 8. The proof-of-concept malware is able to defeat Windows 8's Kernel Patch Protection and Driver Signature Enforcement policy.

The UEFI boot loader developed by Allievi overwrites the legitimate Windows 8 UEFI bootloader, bypassing security defences in the process.

"Our bootloader hooked the UEFI disk I/O routines and it intercepted the loading of the Windows 8 kernel, thus our bootkit tampered the kernel by disabling the security features used by Windows to prevent the loading of unsigned drivers," said Marco Giuliani, of ITSEC.

Sep 22, 2012

Microsoft Update for Internet Explorer 10

Microsoft released an Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10

From the summary:- Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8 and Windows Server 2012. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10.

This patch addresses two vulnerabilities in Internet Explorer 10 - both of which were fixed in updates from Adobe last month.

Sep 22, 2012

Microsoft release patch for IE flaw

Microsoft announced they have released a patch, through their Update program, fixing five serious flaws in various versions of Internet Explorer.

Microsoft releases partial fix for IE flaw

Microsoft announced they are "investigating" "public reports of a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9". And that they are "aware" of attacks that "attempt to exploit this vulnerability". Translated from NewSpeak into English it means they won't admit to a problem yet - so you'll have to wait for a proper fix.

Brian Krebs confirms Eric Romang's initial report that the vulnerability is being actively exploited in the wild, and that it appears to be connected to the same group of Chinese hackers responsible for unleashing a pair of Java zero-day exploits late last month.

Another Zero-Day Microsoft Exploit

A Microsoft Internet Explorer 7 and 8 zero-day attack has been found. Discovered by Eric Romang, the exploit has been added to the Metasploit toolkit...

and no, despite the .swf extension the exploit doesn't actually use Ffflash.

Yet another reason to ditch Internet Explorer - for almost any other browser (sigh).

Sep 15, 2012

Microsoft still vulnerable to RTF exploits

Attackers have been targeting vulnerabilities in Microsoft Office and other products using Rich Text Format (RTF) files to carry exploits. These Microsoft security holes have been around for 3 years now, with yet another exploit recently discovered.

First reported in 2009, more information about malicious code inside Microsoft Office documents can be read here.

How might you analyze a suspicious RTF file, perhaps delivered to you or your users as an email attachment? RTFScan, now available as part of Frank Boldewin's OfficeMalScanner toolkit, can examine RTF files and assist in extracting embedded artifacts.
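As a first look at a suspicious RTF attachment before reaching for a dedicated scanner, the sketch below lists the embedded object classes and decodes each objdata blob to look for embedded file signatures. It is an added example, not RTFScan's code or output; the SAMPLE document is constructed and harmless.

```python
import re

# Byte signatures worth flagging inside a decoded objdata blob.
MAGICS = {
    bytes.fromhex("d0cf11e0a1b11ae1"): "OLE2 compound file",
    b"This program cannot be run in DOS mode": "PE executable stub",
}

# Constructed sample: an embedded object whose hex data is split by
# whitespace and mixed case, as RTF permits.
SAMPLE = (r"{\rtf1\ansi{\object\objemb{\*\objclass Word.Document.8}"
          r"{\*\objdata 0105000002000000" "\n"
          r"D0CF11E0 a1b11ae1 00000000}}}")

def decode_objdata(blob):
    """Decode the hex text of one objdata group, ignoring whitespace and case."""
    digits = re.sub(r"[^0-9a-fA-F]", "", blob)
    return bytes.fromhex(digits[: len(digits) // 2 * 2])  # drop a dangling nibble

def triage(rtf_text):
    """Summarise embedded objects in an RTF document without rendering it."""
    report = {
        "is_rtf": rtf_text.lstrip().startswith("{\\rtf"),
        "classes": [c.strip() for c in
                    re.findall(r"\\objclass\s+([^{}\\]+)", rtf_text)],
        "objects": [],
    }
    for m in re.finditer(r"\\objdata(?![a-z])([^{}\\]*)", rtf_text):
        data = decode_objdata(m.group(1))
        hits = []
        for magic, label in MAGICS.items():
            pos = data.find(magic)
            while pos != -1:  # record every occurrence with its byte offset
                hits.append((pos, label))
                pos = data.find(magic, pos + 1)
        report["objects"].append({"size": len(data), "hits": sorted(hits)})
    return report
```

Samples that break up the hex with control words or nested groups will defeat this simple extraction, so an empty result does not clear a file.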

Jul 22, 2012

Domain registrations and renewals

You can now register, renew, and transfer domains through me to get the same low prices and the same high level of service and support all my clients receive.

Domain services are available for 40 Top Level Domains. Discounts are available where 5 and 10 year terms are available, ask me about volume discounts.

Choose your own nameservers or ask me about the right nameserver setup for your needs. I can also advise you on various mail and site hosting options and web site design - just ask!